Will fingerprint sensors eliminate smartphone passwords?

The FIDO Alliance claims that the first biometric scanners designed to eliminate the need for traditional web and app passwords are expected to make their debut on Android handsets within the next six months.

A group of leading companies that includes Lenovo, PayPal and Google in its ranks, the FIDO Alliance is on a mission to make web authentication far more secure without making the process of logging on needlessly complicated. In February it set out to create a scalable open standard, one that any manufacturer or web-based service can integrate, that will replace the text-based password with a biometric alternative. Eight months on, it looks as if the initiative is bearing fruit.

In an interview with USA Today, Michael Barrett, FIDO's president and former chief information security officer for PayPal, revealed that the alliance's growing power and support mean that the first step towards safer, more secure internet use is just six months away, and that soon he'll be able to swipe a finger across a smartphone in order to access his online accounts.

Barrett makes no secret of his hatred of the traditional password and its frailties. During a keynote address at Interop Las Vegas in May, he declared all-out war on it. "Our intention is to really obliterate, within a certain number of years, both passwords and PINs and see the whole Internet -- including internally in enterprises -- obliterate user IDs and passwords and PINs from the face of the planet," he said.

Apple's latest flagship phone, the iPhone 5S, already sports a fingerprint scanner, which the company calls Touch ID. It is currently limited to locking and unlocking the phone's screen and to authenticating the owner when making iTunes and App Store purchases. However, a number of analysts believe that Apple's leap of biometric faith will help pave the way for other device makers to follow suit and push the technology into the mainstream.

"What Apple has done with Touch ID is to improve the usability of identity verification on mobile devices -- to make it more convenient," said Alan Goode, MD of analyst firm GoodeIntelligence.com and long-time biometrics champion. "I believe that the main driver for adoption of biometrics into consumer electronic devices is the mass adoption of smart mobile devices and the challenges this poses for strong authentication and identity verification -- in other words how do we securely prove identity on a mobile device without affecting the user experience. Passcodes and One-Time-Passwords are not the most convenient way to prove identity on a mobile device, especially when we are on the move."

And while Barrett too is happy to see Apple upping its security game, he points out that the company is not currently a FIDO member (unlike its arch rival Google) and therefore Touch ID is not currently compatible with FIDO's own biometric technology. "Our view is that it's possible Apple might choose to start using FIDO, but that's probably a couple of years out," he told USA Today.

And while consumers should rejoice that the traditional password's days are finally numbered, they shouldn't expect an overnight revolution. Adoption will take time, bugs will have to be ironed out and new user habits will have to be learned.

As fellow FIDO member and CEO of Nok Nok Labs, Phil Dunkelberger, says in the same interview: "We didn't create the current authentication mess overnight, so it's going to take us a while to fix it. We need to educate the marketplace that it is possible to make things more secure for business and easier for consumers, while still ensuring that legitimate privacy concerns are respected."

For now, the best option for security-conscious consumers is to consider a password manager, such as LastPass or 1Password. They create fiendishly difficult, impossible-to-remember and, most importantly, unique passwords for each web service a consumer accesses, and store them all behind a master password. When the user arrives on a log-in page, the password manager, if activated, will automatically fill in all security fields.